Decentralized application authentication

ABSTRACT

Disclosed are various embodiments for authenticating users of applications using decentralized data models for storing a user&#39;s identity. A fingerprint for a computing device is received from an application executing on the computing device. An identity key associated with the fingerprint for the computing device is then obtained, the identity key being linked to a signed claim. The signed claim is retrieved and evaluated. The application executing on the computing device is then granted access to the computing resource in response to evaluating the signed claim.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of copending U.S. patent applicationSer. No. 16/555,607, entitled “DECENTRALIZED APPLICATION AUTHENTICATION”and filed on Aug. 29, 2019, which is incorporated by reference as if setforth herein in its entirety.

BACKGROUND

Multi-user applications often implement one or more authenticationmechanisms to verify the identity and authenticity of individual usersof the application. These authentication mechanisms can be used toidentify and prevent fraudulent transactions (e.g., authenticationmechanisms implemented by financial websites). As another example, theauthentication mechanisms can be used to verify the identity of a userin order to confirm that a user is authorized to perform a particularoperation or initiate a particular transaction.

However, many authentication mechanisms are often device specific. Forexample, a device fingerprint may be recorded when a user visits a website. Subsequent visits by the user can be authenticated in part basedon whether the same device fingerprint is identified by the application.However, when a user switches devices, a different device fingerprintmay be generated, limiting the utility of the device fingerprint.Likewise, the device fingerprint often has to be authenticatedindependently by each web site visited by the user.

BRIEF DESCRIPTION OF THE DRAWINGS

Many aspects of the present disclosure can be better understood withreference to the following drawings. The components in the drawings arenot necessarily to scale, with emphasis instead being placed uponclearly illustrating the principles of the disclosure. Moreover, in thedrawings, like reference numerals designate corresponding partsthroughout the several views.

FIG. 1 is a drawing of a networked environment according to variousembodiments of the present disclosure.

FIG. 2 is a flowchart illustrating one example of functionalityimplemented as portions of an application executed in a computingenvironment in the networked environment of FIG. 1 according to variousembodiments of the present disclosure.

FIG. 3 is a flowchart illustrating one example of functionalityimplemented as portions of an application executed in a computingenvironment in the networked environment of FIG. 1 according to variousembodiments of the present disclosure.

FIG. 4 is a flowchart illustrating one example of functionalityimplemented as portions of an application executed in a computingenvironment in the networked environment of FIG. 1 according to variousembodiments of the present disclosure.

FIG. 5 is a flowchart illustrating one example of functionalityimplemented as portions of an application executed in a computingenvironment in the networked environment of FIG. 1 according to variousembodiments of the present disclosure.

FIG. 6 is a flowchart illustrating one example of functionalityimplemented as portions of an application executed in a computingenvironment in the networked environment of FIG. 1 according to variousembodiments of the present disclosure.

DETAILED DESCRIPTION

Disclosed are various approaches for implementing a decentralizedauthentication system for authenticating users with applications. Adevice fingerprint associated with a user can be authenticated by afirst application. A record of the authentication of the devicefingerprint can be stored in a decentralized data store, such as adistributed ledger (DL), a distributed hash table (DHT), or otherdecentralized data storage mechanism. When a second application attemptsto authenticate a user that is associated with the same devicefingerprint, the second application can query the decentralized datastore to retrieve the records associated with the user and the devicefingerprint. The second application can then determine whether toauthenticate the user based on how trustworthy the second applicationdetermines the record of the previous authentication by the firstapplication to be. By using a decentralized data store, no single entityis able to control the authentication data that can be used to identifyindividual users. In the following discussion, a general description ofthe system and its components is provided, followed by a discussion ofthe operation of the same.

As illustrated in FIG. 1 , shown is a networked environment 100according to various embodiments. The networked environment 100 includesa computing environment 103, a client device 106, an identity hub 109,and a distributed ledger 113, which are in data communication with eachother via a network 116. The network 116 includes wide area networks(WANs) and local area networks (LANs). These networks can include wiredor wireless components or a combination thereof. Wired networks caninclude Ethernet networks, cable networks, fiber optic networks, andtelephone networks such as dial-up, digital subscriber line (DSL), andintegrated services digital network (ISDN) networks. Wireless networkscan include cellular networks, satellite networks, Institute ofElectrical and Electronic Engineers (IEEE) 802.11 wireless networks(e.g., WI-FI®), BLUETOOTH® networks, microwave transmission networks, aswell as other networks relying on radio broadcasts. The network 116 canalso include a combination of two or more networks 116. Examples ofnetworks 116 can include the Internet, intranets, extranets, virtualprivate networks (VPNs), and similar networks.

The computing environment 103 can include a server computer or any othersystem providing computing capability. Alternatively, the computingenvironment 103 can employ a plurality of computing devices that can bearranged in one or more server banks or computer banks or otherarrangements. Such computing devices can be located in a singleinstallation or can be distributed among many different geographicallocations. For example, the computing environment 103 can include aplurality of computing devices that together can include a hostedcomputing resource, a grid computing resource or any other distributedcomputing arrangement. In some cases, the computing environment 103 cancorrespond to an elastic computing resource where the allotted capacityof processing, network, storage, or other computing-related resourcescan vary over time.

Various applications or other functionality can be executed in thecomputing environment 103 according to various embodiments. Thecomponents executed on the computing environment 103 include a hostedapplication 119, and other applications, services, processes, systems,engines, or functionality not discussed in detail herein.

The hosted application 119 can be executed to provide access to users todata stored in the hosted data store 123 or to perform one or morefunctions or initiate one or more transactions on behalf of a user.Examples of hosted applications 119 include electronic bankingapplications, electronic commerce or shopping applications, social mediaapplications, internet or web-based electronic mail (webmail)applications. However, any application hosted by computing environment103 which identifies or authenticates users may be considered a hostedapplication 119 for the purposes of the various embodiments of thepresent disclosure.

Also, various data can be stored in a hosted data store 123 that isaccessible to the computing environment 103. The hosted data store 123can be representative of a plurality of hosted data stores 123, whichcan include relational databases, object-oriented databases,hierarchical databases, hash tables or similar key-value data stores, aswell as other data storage applications or data structures. The datastored in the hosted data store 123 is associated with the operation ofthe various applications or functional entities described below. Thisdata can include one or more user accounts 126, one or moreauthentication rules 129, and potentially other data.

A user account 126 can represent data associated with an individual userof the hosted application 119. This data can include both data relatedto the identity of the user and data to be used for authenticating auser associated with the user account 126. For instance, the useraccount 126 can include a user identifier 133, one or moreauthentication credentials 136, and one or more device fingerprints 139.

The user identifier 133 represents a unique identifier that allows theuser account 126 to be distinguished from other user accounts 126. Oneexample of a user identifier 133 is a user name. However, other uniquedata points that are associated with a user for sufficiently longdurations may also be used as a user identifier 133 (e.g., emailaddresses, mobile or cellular phone numbers, etc.).

The authentication credentials 136 can represent data that, whenpresented to the hosted application 119, can be used to verify theauthenticity of the user. Accordingly, authentication credential 136 canrepresent a secret that is known only to the user and is verifiable bythe hosted application 119 or an attribute unique to the user andverifiable by the hosted application 119. For example, theauthentication credential 136 could include a password or code knownonly to the user and is stored in encrypted or obfuscated form in thehosted data store 123. As another example, the authentication credential136 could also include biometric data (e.g., fingerprints, retinalimages or scans, facial recognition data, etc.) However, users may havemore than one set of authentication credentials 136 (e.g., in amultifactor authentication (MFA) system). Accordingly, an authenticationcredential 136 could also include a way to verify that a user has aspecific authentication device in his or her possession. For example,the authentication credentials 136 could include the seed for atime-based one-time password (TOTP) or hash-based one-time password(HOTP) system, or the cryptographic token for verifying a challengereceived from a hardware security device (e.g., a device implementingthe universal second factor (U2F) protocol).

The device fingerprints 139 represent a unique identifier associatedwith a client device 106 used by a user to access or interact with thehosted application 119. As a user may interact with the hostedapplication 119 using multiple client devices 106 (e.g., a desktopcomputer and a mobile device such as a smartphone or tablet computer),multiple device fingerprints 139 can be associated with a single useraccount 126. For example, a device fingerprint 139 could includehardware identifiers such as media access control (MAC) addresses of aclient device 106, hardware serial numbers for a client device 106,international mobile equipment identifier (IMEI) numbers associated witha client device 106, and similar hardware identifiers. As anotherexample, a device fingerprint 139 could represent a softwareconfiguration unique to the client device 106, such as a tuplerepresenting the name, version, and configuration options for anapplication installed on the client device 106. One example of such adevice fingerprint 139 is a browser fingerprint representing the uniquecombination of a user-agent string, a list of enabled browser plugins, alist of HTTP_ACCEPT headers supported by the browser, the time zone inwhich the browser is located, the list of system fonts available to thebrowser, whether cookies are enabled for the browser and which cookiesare stored on the browser, the current language enabled for the browser,the current screen resolution and color depth available to the browser,etc. To protect user privacy, these device fingerprints 139 may bestored or transmitted in encrypted or obfuscated form (e.g., as a hashof the device fingerprint 139).

An authentication rule 129 can represent a logical rule for determininghow to authenticate a user associated with a user account 126 and thecriteria used for determining that the user associated with the useraccount 126 is authentic. For example, an authentication rule 129 canspecify the particular types of authentication credentials 136 that mustbe provided by a user or which assertions provided by third-partiesregarding a user account 126 or a device fingerprint 139 can be trusted.

The client device 106 is representative of a plurality of client devicesthat can be coupled to the network 116. The client device 106 caninclude a processor-based system such as a computer system. Such acomputer system can be embodied in the form of a personal computer(e.g., a desktop computer, a laptop computer, or similar device), amobile computing device (e.g., personal digital assistants, cellulartelephones, smartphones, web pads, tablet computer systems, musicplayers, portable game consoles, electronic book readers, and similardevices), media playback devices (e.g., media streaming devices, BluRay®players, digital video disc (DVD) players, set-top boxes, and similardevices), a videogame console, or other devices with like capability.The client device 106 can include one or more displays 143, such asliquid crystal displays (LCDs), gas plasma-based flat panel displays,organic light emitting diode (OLED) displays, electrophoretic ink(“E-ink”) displays, projectors, or other types of display devices. Insome instances, the display 143 can be a component of the client device106 or can be connected to the client device 106 through a wired orwireless connection.

The client device 106 can be configured to execute various applicationssuch as a client application 146 or other applications. The clientapplication 146 can be executed by the client device 106 to accessnetwork content served up by the computing environment 103 or otherservers, thereby rendering a user interface 149 on the display 143. Tothis end, the client application 146 can include a browser or adedicated application (e.g., email applications, social networkingapplications, messaging applications, banking applications, shoppingapplications, etc.), and the user interface 149 can include a networkpage, an application screen, other user mechanism for obtaining userinput.

The client device 106 can execute an authentication client 153, whichcan be used for authenticating a user of the client device 106 with thehosted application 119 executing in the computing environment 103. Theauthentication client 153 can be implemented as a standalone applicationthat authenticates a user on behalf of the client application 146 (e.g.,as a library installed on the client device 106) or as a component ofthe client application 146. For example, the authentication client 153can include a script embedded in or referenced by a web page anddownloaded by a browser.

A client data store 156 can also be present on the client device 106.The client data store 156 can include relational databases,object-oriented databases, hierarchical databases, hash tables orsimilar key-value data stores, as well as other data storageapplications or data structures, which allow the client device 106 tolocally store or cache data used by the client application 146 or theauthentication client 153. The data stored in the client data store 156can include one or more device fingerprints 139 and one or more identitykeys 159.

The identity key 159 can represent a unique address that specifies thelocation where an identity document 163 can be found, such as a networkaddress that specifies a network location of the identity document 163.The identity key 159 can include the storage location where the identitydocument 163 can be found, a unique identifier of the identity document163, and potentially other information. As the identity key 159 canuniquely identity the identity document 163 with respect to otheridentity documents 163, the identity key 159 can also be used as aunique identifier for an individual. An illustrative example of anidentity key 159 is a decentralized identifier (DID) as defined by theWorld Wide Web Consortium (W3C). However, data formats can be used as anidentity key 159 in various embodiments of the present disclosure.

In the example of a DID, the identity key 159 can include a uniqueuniform resource identifier (URI) or unique uniform resource locator(URL) that specifies the type of identity key 159, the specificdistributed ledger 113 in which an identity document 163 can be located,and a identifier of the identity document 163. For example, if anidentity document 163 were stored using an implementation of theETHEREUM protocol, an identity key 159 formatted as a DID has an exampleschema of “did:ethereum:123456abcdefg.” However, if the identitydocument 163 were not stored in a publicly available distributed ledger113, but were instead stored in a privately accessible identity hub 109,then the identity key 159 might instead specify the address of theidentity hub 109 and the unique identifier of the identity document 163.

The identity hub 109 can represent a service or collection of serviceshosted by one or more computing devices and utilized to securely storeidentity documentation for individual users and provide the identitydocumentation in response to authorized requests. For example, theidentity hub 109 can include a credential manager 166 and a vault 169.

The credential manager 166 can be used to perform various functions. Forexample, the credential manager 166 can be used to add, remove, ormodify various data stored in the vault 169 and related to individualusers. As another example, the credential manager 166 can be used toauthenticate individual users and limit access to the vault 169 toauthorized users.

The vault 169 represents a secure data store accessible to thecredential manager 166. Data stored in the vault 169 can be stored in anencrypted form that is only accessible to individual users. Anindividual user can store various types of data in the vault 169,including one or more identity keys 159, one or more identity documents163, one or more verified claims 173, one or more asymmetric key-pairs176, and potentially other data.

An identity document 163 is a document that provides information foridentifying and authenticating a user. An identity document 163 caninclude an identity key 159, which can be used to uniquely identify theidentity document 163 and, therefore, the individual associated with theidentity document 163. An identity document 163 can also include apublic key 179 from the asymmetric key-pair 176 of the user, which canbe used by third-parties to verify a user's identity when presented withdata cryptographically signed by a respective private key from theasymmetric key-pair 176 of the user. The identity document 163 can alsospecify other information related to the identity of the user orinstructions for how to authenticate the identity of the user. Forexample, the identity document 163 may specify which authenticationmechanisms an individual can use to cryptographically prove that he orshe is associated with the identity document 163 and/or the identity key159. An illustrative example of an identity document 163 is adecentralized identifier document (DID Document) as defined by the W3C.However, data formats can be used as an identity document 163 in variousembodiments of the present disclosure.

A verified claim 173 represents a verified assertion made by athird-party about an individual associated with the identity key 159and/or the identity document 163. Accordingly, a verified claim 173 caninclude the identity key 159 of the user for whom the verified claim 173is made, the claim 183 itself, and a cryptographic signature 186provided by the third-party making the claim 183.

The claim 183 represents an assertion about an individual or theindividual's identity. As a first example, the claim 183 could statethat a specific device fingerprint 139 is linked to or associated with aparticular user. More specifically, in some implementations, the claim183 could state that a device fingerprint 139 is linked to or associatedwith a specific identity key 159 or identity document 153. As a secondexample, the claim 183 could state that a user associated with theidentity key 159 is at least a certain age (e.g., a claim by stateagency that an individual user is at least 18 years old or at least 21years old). Such a claim 183 could be used by a user to authenticate hisor her eligibility for age-restricted content or services without havingto divulge his or identity. As third example, a claim 183 could statethat the user is a member of a particular organization (e.g., that auser is an employee of a company or is a member of a particularorganization). Such a claim 183 could be used by a user to authenticatehis or her eligibility for discounts at a retailer based on his or hermembership in the organization or his or her status as an employee of acompany, without having to divulge his or her identity. However, moredetailed information about a user could also be provided in a claim 183,such as the legal name of the user, date of birth, residential addressof the user, or other personally identifying information.

The cryptographic signature 186 can be used to verify the veracity andauthenticity of the claim 183. For example, the cryptographic signature186 can identify the third-party making the assertion and also includeboth a digital signature generated by a private encryption key inpossession of the third-party entity and a digital fingerprintidentifying the corresponding public encryption key that can be used toverify the cryptographic signature 186. The cryptographic signature 186can also be used to determine whether the claim 183 has been modifiedwithout the consent of the entity making the claim 183. For example, anunauthorized change to the claim 183 would result in a mismatch betweenthe signature 186 and the claim 183.

An asymmetric key-pair 176 can include any public/private key-pairgenerated by or on behalf of the user. The asymmetric key-pair 176 canbe used by the user to generate new identity documents 163, verify theauthenticity of the identity documents 163, or to authenticate the userwith third-party applications, such as the hosted application 119.

The distributed ledger 113 represents a synchronized, eventuallyconsistent, data store spread across multiple nodes in differentgeographic or network locations. Each node in the distributed ledger 113can contain a replicated copy of the distributed ledger 113, includingall data stored in the distributed ledger 113. Records of transactionsinvolving the distributed ledger 113 can be shared or replicated using apeer-to-peer network connecting the individual nodes that form thedistributed ledger 113. Once a transaction or record is recorded in thedistributed ledger 113, it can be replicated across the peer-to-peernetwork until the record is eventually recorded with all nodes. Variousconsensus methods can be used to ensure that data is written reliably tothe distributed ledger 113. Examples of a distributed ledger can includeblockchains, distributed hash tables (DHTs), and similar datastructures.

Various data can be stored in a distributed ledger 113. This can includeone or more registered identity keys 189, one or more registeredidentity documents 193, one or more registered verified claims 196, andpotentially other data. The registered identity key 189 can be the sameas an identity key 159, albeit registered with and stored in thedistributed ledger 113 instead of being stored in a private locationsuch as the vault 169. Likewise, the registered identity document 193can be the same as an identity document 163, albeit registered with andstored in the distributed ledger 113 instead of being stored in aprivate location such as the vault 169. Similarly, the registeredverified claim 196 can be the same as a verified claim 173, albeitregistered with and stored in the distributed ledger 113 instead ofbeing stored in a private location such as the vault 169.

Identity keys 159 and identity documents 163 may be stored in thedistributed ledger 113 as registered identity keys 189 and registeredidentity documents 193 in order to provide a publicly accessible andimmutable record or copy of the respective identity key 159 or identitydocument 163. However, a user may not want to have a particular identitykey 159 or identity document 163 publicly available (e.g., to obscure orconceal portions of their identity for privacy reasons). In theseinstances, an identity key 159 or identity document 163 may be stored inthe vault 169 of an identity hub 109 instead of as registered identitykeys 189 or registered identity documents 193 stored in the distributedledger 113.

Next, a general description of the operation of the various componentsof the networked environment 100 is provided. A more detaileddescription of the operation of individual components is provided in thediscussion of FIGS. 2-6 . Moreover, while the following descriptionprovides one example of the interactions between the various componentsdepicted in the network environment 100 of FIG. 1 , they can beconfigured to operate in other manners, as discussed later.

To begin, a user of the client device 106 can attempt to access thehosted application 119 using the client application 146. In response tothe access attempt, the hosted application 119 can response with arequest for the client application 146 to authenticate the user. In someimplementations, the hosted application 119 can also provide a copy ofthe authentication client 153 to the client application 146 for use inauthenticating with the hosted application 119. For example, if theclient application 146 is a browser, then the hosted application 119could provide a JavaScript library to the browser for execution. Inother implementations, however, the authentication client 153 canalready be present or installed on the client device 106. In eitherimplementation, the client application 146 can then cause theauthentication client 153 to authenticate the user with the hostedapplication 119.

To authenticate the user with the hosted application 119, theauthentication client 153 can first supply a user identifier 133 and adevice fingerprint 139 to the hosted application 119. The hostedapplication 119 can then confirm whether it recognizes the devicefingerprint 139. For example, the hosted application 119 may determinewhether it has previously verified the device fingerprint 139 byquerying the user account 126 identified by the user identifier 133 toevaluate whether the device fingerprint 139 supplied by theauthentication application 153 has been stored in association with theuser account 126. If the device fingerprint 139 is recognized, and theauthentication client 153 or client application 146 has providedsufficient additional authentication credentials 136 (e.g., a passwordor passcode), then the hosted application 119 can authenticate the userand allow the client application 146 to access the functionalityprovided by the hosted application 119.

However, if the device fingerprint 139 is unrecognized, then the hostedapplication 119 can send a request for additional information toauthenticate the client application 146 and/or the client device 106. Inresponse, the client device 106 can supply one or more identity keys159, one or more verified claims 173, and a device fingerprint 139 tothe hosted application 119. This data can then be used by the hostedapplication 119 to verify the identity of the user of the clientapplication 146 and/or client device 106.

For example, the authentication client 153 could search the client datastore 156 for locally cached copies of identity keys 159 and providethem to the hosted application 119. As another example, theauthentication client 153 could retrieve the identity keys 159 from thevault 169 of an identity hub 109 or from the distributed ledger 113 (ifthe identity keys 159 were previously stored in the distributed ledger113 as registered identity keys 189) and provide them to the hostedapplication 119. This could occur, for example, if there are no identitykeys 159 stored in the client data store 156.

The authentication client 153 could also retrieve one or more verifiedclaims 173 from the vault 169 of the identity hub 109 and provide thoseverified claims 173 to the hosted application 119. The verified claims173 could then be evaluated and authenticated by the hosted application119 to confirm the identity of the user of the client application 146and/or client device 106.

As a first example, the authentication client 153 could provide anidentity key 159 and a verified claim 173 previously issued by thehosted application 119. The claim 183 could state that the identity key159 is owned, controlled, or otherwise associated with the same useridentified by the user identifier 133 in the user account 126. The claim183 could also have a signature 186 that was previously created by thehosted application 119 or the entity in control of the hostedapplication 119. The hosted application 119 could verify the signature186 to confirm the claim that the identity key 159 can be used toidentify the user associated with the user identifier 133. In responseto this verification, the hosted application 119 could then search forand retrieve the registered identity document 193 from the distributedledger 113 that is associated with the identity key 159 in the verifiedclaim 173. The hosted application 119 could then use the public key 179to create a cryptographic challenge that is issued to the authenticationclient 153.

In response to receipt of the cryptographic challenge, theauthentication client 153 could generate a cryptographic response toprove that it has access to the corresponding private key for the publickey 179. For instance, the authentication client 153 could retrieve theprivate key from the key-pair 176 stored in the vault 169 and use theprivate key to create the cryptographic response. Once the hostedapplication 119 receives and verifies the cryptographic response usingthe public key 179, the hosted application 119 could determine thatauthentication client 153 is authenticating on behalf of the user.Access to the hosted application 119 could then be granted, and thedevice fingerprint 139 could be saved or stored in the user account 126for use in authentication future access attempts.

As a second example, the authentication client 153 could provide anidentity key 159 and a verified claim 173 previously issued by athird-party. The claim 183 could state that the identity key 159 isowned, controlled, or otherwise associated with the same user identifiedby the user identifier 133 in the user account 126. The claim 183 couldalso have a signature 186 that was previously created by thethird-party. The hosted application 119 could verify the signature 186to confirm that the third-party made the claim 183.

In response to this verification, the hosted application 119 could thenevaluate one or more authentication rules 129 to determine whether theclaim 183 is sufficient to authenticate the user of the clientapplication 146 and/or client device 106. For example, somethird-parties might be more trusted than others. Accordingly, anauthentication rule 129 could specify that claims 183 made by certain,vetted third-parties are sufficient on their own to authenticate theidentity of the user. Meanwhile, other authentication rules 129 mightspecify that claims 183 made by less-trusted third-parties can only beused for authentication if multiple, independent claims 183 made byindependent third-parties are provided (e.g., two, three, five, etc.less-trusted third-parties must make the same claim 183 regarding therelationship between the identity key 159 and the user or useridentifier 133). In some instances, an authentication rule 129 couldeven specify that a claim 183 cannot be used for authentication becausethe third-party making the claim is untrusted (e.g., because thethird-party has a reputation for making incorrect or inaccurate claims183).

If the hosted application 119 verifies the signature 186 for the claim183 and determines that the authentication rules 129 indicate that theclaim 183 is trustworthy, then the hosted application 119 can rely onthe claim 183 in order to authenticate the user. Accordingly, the hostedapplication 119 can search for and retrieve the registered identitydocument 193 from the distributed ledger 113 that is associated with theidentity key 159 in the verified claim 173. The hosted application 119could then use the public key 179 to create a cryptographic challengethat is issued to the authentication client 153.

In response to receipt of the cryptographic challenge, theauthentication client 153 could generate a cryptographic response toprove that it controls the corresponding private key for the public key179. For instance, the authentication client 153 could retrieve theprivate key from the key-pair 176 stored in the vault 169 and use theprivate key to create the cryptographic response. Once the hostedapplication 119 receives and verifies the cryptographic response usingthe public key 179, the hosted application 119 could determine thatauthentication client 153 is authenticating on behalf of the user.Access to the hosted application 119 could then be granted, and thedevice fingerprint 139 could be saved or stored in the user account 126for use in authentication during future access attempts.

Continuing with this second example, once the hosted application 119 hasverified the user, the hosted application 119 can make its own verifiedclaim 173 specifying that the identity key 159 uniquely identifies theuser associated with the user identifier 133. For example, the hostedapplication 119 could create the verified claim 173. The hostedapplication 119 could then insert the identity key 159 for the verifiedclaim 173 and the claim 183 that the user identifier 133 is associatedwith or identified by the identity key 159. The hosted application 119could finally create a signature 186 for the claim 183 using acryptographic key controlled by the hosted application 119 and add thesignature 186 to the verified claim 173. The verified claim 173 couldthen be provided to the authentication client 153 for future use.

Referring next to FIG. 2 , shown is a flowchart that provides oneexample of the operation of a portion of the authentication client 153.It is understood that the flowchart of FIG. 2 provides merely an exampleof the many different types of functional arrangements that can beemployed to implement the operation of the depicted portion of theauthentication client 153. As an alternative, the flowchart of FIG. 2can be viewed as depicting an example of elements of a methodimplemented in the network environment 100.

Beginning with step 203, the authentication client 153 can receive anauthentication request from another application, such as the hostedapplication 119. The authentication request may be received from thehosted application 119 as part of the authentication process between theclient application 146 or authentication client 153 and the hostedapplication 119. For instance, the authentication request can indicatethat one or more device fingerprints 139 previously provided by theclient application 146 or authentication client 153 were not recognizedby the hosted application 119. This could occur, for example, when auser attempts to access the hosted application 119 using a new clientdevice 106 or a new version of the client application 146.

Next at step 206, the authentication client 153 can determine whetherany identity keys 153 associated with the user identifier 133 or thedevice fingerprint 139 are stored locally on the client device. Forexample, the authentication client 153 can check the client data store156 for the presence of appropriate identity keys 159 associated withthe device fingerprint 139 of the client device 106. In some instances,if the authentication client 153 determines that an identity key 159associated with the device fingerprint 139 is present in the client datastore 156, the authentication client 153 can further confirm whether theidentity key 159 is current. For example, the authentication client 153could also determine whether the identity key 159 is current bydetermining whether the entry for the identity key 159 in the clientdata store 156 is older than a predefined limit (e.g., one week, onemonth, three months, etc.). If one or more identity keys 159 associatedwith the device fingerprint 139 are stored in the client data store 156,the authentication client 153 proceeds to step 209. Otherwise, theauthentication client 153 skips to step 213.

Moving on to step 209, the authentication client 153 can retrieve theidentity keys 159 from the client data store 156. In someimplementations, the authentication client 153 may also be tasked withproviding one or more verified claims 173 to the hosted application 119.In these implementations, the process would continue to step 213. Inthose alternative implementations where the hosted application 119 isconfigured to retrieve verified claims 173 independently of the clientdevice 106 (e.g., by retrieving registered verified claims 196 from thedistributed ledger 113), then the process could skip to step 223.

Proceeding to step 213, the authentication client 153 can cause a promptto be rendered within the user interface 149 of the client application146 on the display 143 of the client device 106. The prompt may ask forthe user to select an identity hub 109 or a vault 169 within an identityhub 109 and provide authentication credentials to access the vault 169within the identity hub 109. After the user provides the requestedinformation in the prompt, the process continues to step 216.

Then at step 216, the authentication client 153 can access the vault 169hosted by the identity hub 109 to retrieve one or more identity keys 159and/or one or more verified claims 173. For example, the authenticationclient 153 can provide the credentials to the credential manager 166.Once the credential manager 166 authenticates the authentication client153, the authentication client 153 can send a query to the credentialmanager 166 to retrieve one or more identity keys 159 and/or verifiedclaims 173. For example, the authentication client 153 could send aquery to the credential manager 166 specifying the device fingerprint139 and/or the user identifier 133 in order to retrieve the desiredidentity keys 159 and/or verified claims 173. In some implementations,however, the authentication client 153 could query the vault 169directly after authenticating with the credential manager 166.

Next, at step 219, the authentication client 153 can receive therequested identity keys 159 and verified claims 173 in response to thequery provided at step 216.

Proceeding from either step 209 or step 219 to step 223, theauthentication client 153 can send the identity keys 159 and/or verifiedclaims 173 to the hosted application 119. This can be done in order toshow the hosted application 119 that the device fingerprint 139 is avalid device fingerprint 139 for the user identifier 133.

Next at step 226, the authentication client 153 can receive acryptographic challenge from the hosted application 119. Thecryptographic challenge can contain a token that has been encryptedusing the public key 179 specified in an identity document 163associated with the identity key 159. By decrypting the token using arespective private key in the key-pair 176 that includes the public key179, the authentication client 153 can prove, at the following step 229,the user is the owner of the identity key 159 that is the subject of theverified claim 173.

Then at step 229, the authentication client 153 can provide a responseto the cryptographic challenge. The response can include, for example, adigital signature of the token generated by the private key for thepublic key 179 used to encrypt the token.

Referring next to FIG. 3 , shown is a flowchart that provides anotherexample of the operation of another portion of the authentication client153. It is understood that the flowchart of FIG. 3 provides merely anexample of the many different types of functional arrangements that canbe employed to implement the operation of the portion of theauthentication client 153. As an alternative, the flowchart of FIG. 3can be viewed as depicting an example of elements of a methodimplemented in the network environment 100.

Beginning with step 303, the authentication client 153 can generate anidentity key 159. In order to ensure that the identity key 159 is uniquewith respect to other identity keys 159, various approaches may be used.For example, a pseudorandom number generator may be used to generate atleast a portion of the identity key 159. As another example, the mostrecently added registered identity key 189 could be queried and thenetwork address of the newly created identity key 159 could be based atleast in part on the network address specified by the registeredidentity key 189. For example, if the registered identity key 189 mostrecently added to the distributed ledger 113 contained the URN“did:example:123456,” then the newly created identity key could be“did:example:123457.” However, other approaches may also be used.

Then at step 306, the authentication client 153 can create a newasymmetric key-pair 176. The asymmetric key-pair 176 can be createdusing various approaches. For example, the asymmetric key-pair 176 couldbe created using elliptic curve cryptography or theRivest-Shamir-Adleman (RSA) algorithm.

Next at step 309, the authentication client 153 can generate an identitydocument 163 associated with the identity key 159. The authenticationclient 153 can add both the identity key 159 previously created at step303 and the public key of the key-pair 176 created at step 306.

Proceeding to step 313, the authentication client 153 can then send arequest for a signed claim 183 to the hosted application 119. Therequest may be made, for example, after the authentication client 153has already authenticated with the hosted application 119 (e.g., duringthe process previously described in FIG. 2 or similar processes).However, the request can also include authentication data, such as theuser identifier 133, the authentication credentials 136, and/or thedevice fingerprint 139 associated with the user account 126. The requestcan also include the identity key 159 and/or the identifier document 163previously created at steps 303 and 309.

Then at step 316, the authentication client 153 can received a signedcopy of the claim 183 in response. For example, the authenticationclient 153 can receive both the claim 183 and a signature 186 created bythe hosted application 119 for the claim 183.

Finally, at step 319, the authentication client 153 can create and savea verified claim 173. The verified claim 173 can include the identitykey 159, the claim 183, and the signature 186. The verified claim 173can, in some implementations be registered in the distributed ledger 113as a registered verified claim 196 to allow the claim 183 to be publiclyavailable. However, the verified claim 173 can also be stored privately,such as in the vault 169 of an identity hub 109, in order to hide orconceal from public view the relationship between the user and thehosted application 119.

Referring next to FIG. 4 , shown is a flowchart that provides oneexample of the operation of a portion of the hosted application 119. Itis understood that the flowchart of FIG. 4 provides merely an example ofthe many different types of functional arrangements that can be employedto implement the operation of the depicted portion of the hostedapplication 119. As an alternative, the flowchart of FIG. 4 can beviewed as depicting an example of elements of a method implemented inthe network environment 100.

Beginning with step 403, the hosted application 119 can receive anauthentication request from the authentication client 153. Theauthentication request can be received, for example, as part of anattempt or request made by the client application 146 to accessresources or capabilities made available by the hosted application 119.The authentication request can include the user identifier 133associated with a user account 126, as well as one or moreauthentication credentials 136 associated with the user account 126, anda device fingerprint 139.

Then at step 406, the hosted application 119 can determine whether thedevice fingerprint 139 is recognized. For example, the user may havepreviously successfully authenticated with the hosted application 119using the client device 106, in which case the device fingerprint 139may be stored in the user account 126 stored in the hosted data store123. If device fingerprint 139 is stored in the user account 126, thenit can be recognized as being associated with a previous successfulauthentication attempt. If the device fingerprint 139 is recognized,then the process skips to step 429. However if the device fingerprint139 is unrecognized, as may happen if a user is attempting toauthenticate with the hosted application 119 for the first time with theclient device 106, then the process proceeds to step 409.

Next at step 409, the hosted application 119 sends a request for anidentity key 153 and a verified claim 173. For example, the hostedapplication 119 may request an identity key 153 and a verified claim 173that shows that the user identifier 133 is associated with theunrecognized device fingerprint 139. The hosted application 119 can thenreceive the identity key 153 and verified claim 173.

Proceeding to step 413, the hosted application 119 can evaluate theverified claim 173. For example, the hosted application 119 may firstdetermine that the identity key 153 matches the identity key 153specified by the verified claim 173. Then the hosted application 119 canevaluate the claim 183 and the signature 186 of the claim 183 todetermine the veracity of the claim 183. Finally, the hosted application119 evaluates the claim 183 itself to determine whether the useridentifier 133 is associated with the unrecognized device fingerprint139. If all of these evaluations are true, namely that the verifiedclaim 173 is linked to the user identifier 133, the signature 186matches the claim 183, and the claim 183 states that the user identifier133 is associated with the unrecognized device fingerprint 139, then theprocess proceeds to step 416. Otherwise, the process proceeds to step433.

Then at step 416, the hosted application 119 can determine whether theverified claim 173 is trusted. For example, the hosted application 119might determine the entity that asserted the claim 183 and make adetermination regarding the trustworthiness of the claim 183 based onone or more authentication rules 129. For example, if the asserted claim183 is made by a trusted or vetted entity, as recognized by thesignature 186, then an authentication rule 129 could specify that thehosted application 119 is to trust the assertion made by the verifiedclaim 173. As another example, if the asserted claim 183 is made by anentity that is not trusted (e.g., an unknown entity or an entity with areputation for being inaccurate), then an authentication rule 129 couldspecify that the hosted application 119 is to not trust the assertionmade by the verified claim 173. An authentication rule 129 could alsospecify that the verified claim 173 can be trusted, but only if apredefined number of other verified claims 173 make the same assertion(e.g., a verified claim 173 can be trusted if three (3) or more otherverified claims 173 make the same assertion). Similarly, anauthentication rule 129 could specify that a verified claim 173 is to betrusted, unless a predefined number of other verified claims 173contradict the first verified claim 173. If the hosted application 119determines that the verified claim 173 is to be trusted, then theprocess proceeds to step 419. However, if the hosted application 119determines that verified claim 173 is not trusted, then the processproceeds to step 433.

Next at step 419, the hosted application 119 can create and send acryptographic challenge to the authentication client 153. First, thehosted application 119 can obtain an appropriate identity document 163.Then, the hosted application 119 can use a public key 179 specified inthe identity document 163 to create the cryptographic challenge.

The hosted application 119 could retrieve an identity document 163, suchas a registered identity document 193 from the distributed ledger 113 oran identity document 163 stored in the vault 169, that is linked to theidentity key 159. For example, the hosted application 119 could use theidentity key 159 as a key to locate and retrieve a registered identitydocument 193 from the distributed ledger 113. As another example, thehosted application 119 could note that the identity key 159 specifiesthat the identity document 163 is stored in the vault 169. Accordingly,the hosted application 119 could provide the identity key 159 to thecredential manager 166 of the identity hub 109 and receive a copy of theidentity document 163 in response.

Once the hosted application 119 retrieves the identity document 163, thehosted application 119 can generate a token. The token can then beencrypted using the public key 179 to generate the cryptographicchallenge. Therefore, only a user with access to the respective privatekey can decrypt the cryptographic challenge. If the user of the clientdevice 106 is, indeed, the owner or controller of the identity key 159and identity document 163, then the user will also have the respectiveprivate key. Once the cryptographic challenge is generated, it can besent to the authentication client 153.

Moving on to step 423, the hosted application 119 can receive a responseto the cryptographic challenge and determine whether or not it is avalid response. A valid response will contain at least the token, inunencrypted form, and signature for the token generated by therespective private key of the public key 179. The combination of theunencrypted token and the signature indicates that the authenticationclient 153 had access to the respective private key of the public key179. Accordingly, the hosted application 119 could determine that theoperator of the client device 106 is the authorized user identified bythe user identifier 133 because the operator of the client device 106can prove control of the private key for the respective public key 179associated with the identity key 159 for which the claim 183 was madethat the owner of the identity key 159 is also the user identified bythe user identifier 133 who also uses a client device 106 with theunrecognized device fingerprint 139. If the response is valid, then theprocess proceeds to step 426. If the response is invalid, then theresponse proceeds instead to step 433.

Then at step 426, the hosted application 119 can store the unrecognizeddevice fingerprint 139 in the user account 126. This can create a recordof a relationship between the device fingerprint 139, the useridentifier 1333, and the authentication credentials 136. As a result,the device fingerprint 139 can be used in the future to authenticate theuser.

Next at step 429, the hosted application 119 can grant access to theclient application 146 to access the resources provided by the hostedapplication 119. The process then ends.

However, if the process had instead proceeded to step 433, the hostedapplication 119 could deny access to the client application 146. In theevent that access is denied, the previously described process ends.However, the client application 146 could always attempt to reconnectand reauthenticate with the hosted application 119 using theauthentication client 153.

Referring next to FIG. 5 , shown is a flowchart that provides oneexample of the operation of a portion of the hosted application 119. Itis understood that the flowchart of FIG. 5 provides merely an example ofthe many different types of functional arrangements that can be employedto implement the operation of the depicted portion of the hostedapplication 119. As an alternative, the flowchart of FIG. 5 can beviewed as depicting an example of elements of a method implemented inthe network environment 100.

Many of the steps illustrated in FIG. 5 are the same as or substantiallysimilar to the steps depicted in FIG. 4 . For example, the operationsperformed by the hosted application 119 at steps 503, 506, 513, 516,519, 523, 526, 529, and 533 are the same as or substantially similar torespective steps 403, 406, 413, 416, 419, 423, 426, 429, and 433 asdepicted in FIG. 4 . However, step 509 differs from respective step 409of FIG. 4 and the flowchart of FIG. 5 contains the additional step 511.

Beginning with step 503, the hosted application 119 can receive anauthentication request from the authentication client 153. Theauthentication request can be received, for example, as part of anattempt or request made by the client application 146 to accessresources or capabilities made available by the hosted application 119.The authentication request can include the user identifier 133associated with a user account 126, as well as one or moreauthentication credentials 136 associated with the user account 126, anda device fingerprint 139.

Then at step 506, the hosted application 119 can determine whether thedevice fingerprint 139 is recognized. For example, the user may havepreviously successfully authenticated with the hosted application 119using the client device 106, in which case the device fingerprint 139may be stored in the user account 126 stored in the hosted data store123. If device fingerprint 139 is stored in the user account 126, thenit can be recognized as being associated with a previous successfulauthentication attempt. If the device fingerprint 139 is recognized,then the process skips to step 529. However if the device fingerprint139 is unrecognized, as may happen if a user is attempting toauthenticate with the hosted application 119 for the first time with theclient device 106, then the process proceeds to step 509.

At step 509 the hosted application 119 can request the identity key 159.In some implementations, the hosted application 119 can send a requestto the authentication client 153 for the identity key 159. However, inother implementations, the hosted application 119 could search adistributed ledger 113 for a respective registered identity key 189associated with the device fingerprint 139 in order to obtain theidentity key 159. In either implementation of this embodiment, noverified claims 173 are requested from the authentication client 153 atstep 509.

Then, at step 511, the hosted application 119 can use the identity key159 to retrieve one or more registered verified claims 196 from thedistributed ledger 113. For example, the hosted application 119 coulduse the identity key 159 as a key for searching and retrieving one ormore matching registered verified claims 196. By searching a distributedledger 113 for the registered verified claims 196, the hostedapplication 119 can access claims 183 asserted by any third-party thathas stored a registered verified claim 196 in the distributed ledger 113instead of being limited to only those verified claims 173 provided bythe authentication client 153, as described in the discussion of FIG. 4. For example, the authentication client 153 might only provide aselected group of verified claims 173 that would be likely to result inthe hosted application 119 granting access to the client application146. However, the distributed ledger 113 might contain registeredverified claims 196 that would cause an authentication rule 129 toinstruct the hosted application 119 to deny access.

Proceeding to step 513, the hosted application 119 can evaluate theverified claim 173. For example, the hosted application 119 may firstdetermine that the identity key 153 matches the identity key 153specified by the verified claim 173. Then the hosted application 119 canevaluate the claim 183 and the signature 186 of the claim 183 todetermine the veracity of the claim 183. Finally, the hosted application119 evaluates the claim 183 itself to determine whether the useridentifier 133 is associated with the unrecognized device fingerprint139. If all of these evaluations are true, namely that the verifiedclaim 173 is linked to the user identifier 133, the signature 186matches the claim 183, and the claim 183 states that the user identifier133 is associated with the unrecognized device fingerprint 139, then theprocess proceeds to step 516. Otherwise, the process proceeds to step533.

Then at step 516, the hosted application 119 can determine whether theverified claim 173 is trusted. For example, the hosted application 119might determine the entity that asserted the claim 183 and make adetermination regarding the trustworthiness of the claim 183 based onone or more authentication rules 129. For example, if the asserted claim183 is made by a trusted or vetted entity, as recognized by thesignature 186, then an authentication rule 129 could specify that thehosted application 119 is to trust the assertion made by the verifiedclaim 173. As another example, if the asserted claim 183 is made by anentity that is not trusted (e.g., an unknown entity or an entity with areputation for being inaccurate), then an authentication rule 129 couldspecify that the hosted application 119 is to not trust the assertionmade by the verified claim 173. An authentication rule 129 could alsospecify that the verified claim 173 can be trusted, but only if apredefined number of other verified claims 173 make the same assertion(e.g., a verified claim 173 can be trusted if three (3) or more otherverified claims 173 make the same assertion). Similarly, anauthentication rule 129 could specify that a verified claim 173 is to betrusted, unless a predefined number of other verified claims 173contradict the first verified claim 173. If the hosted application 119determines that the verified claim 173 is to be trusted, then theprocess proceeds to step 519. However, if the hosted application 119determines that verified claim 173 is not trusted, then the processproceeds to step 533.

Next at step 519, the hosted application 119 can create and send acryptographic challenge to the authentication client 153. First, thehosted application 119 can obtain an appropriate identity document 163.Then, the hosted application 119 can use a public key 179 specified inthe identity document 163 to create the cryptographic challenge.

The hosted application 119 could retrieve an identity document 163, suchas a registered identity document 193 from the distributed ledger 113 oran identity document 163 stored in the vault 169, that is linked to theidentity key 159. For example, the hosted application 119 could use theidentity key 159 as a key to locate and retrieve a registered identitydocument 193 from the distributed ledger 113. As another example, thehosted application 119 could note that the identity key 159 specifiesthat the identity document 163 is stored in the vault 169. Accordingly,the hosted application 119 could provide the identity key 159 to thecredential manager 166 of the identity hub 109 and receive a copy of theidentity document 163 in response.

Once the hosted application 119 retrieves the identity document 163, thehosted application 119 can generate a token. The token can then beencrypted using the public key 179 to generate the cryptographicchallenge. Therefore, only a user with access to the respective privatekey can decrypt the cryptographic challenge. If the user of the clientdevice 106 is, indeed, the owner or controller of the identity key 159and identity document 163, then the user will also have the respectiveprivate key. Once the cryptographic challenge is generated, it can besent to the authentication client 153.

Moving on to step 523, the hosted application 119 can receive a responseto the cryptographic challenge and determine whether or not it is avalid response. A valid response will contain at least the token, inunencrypted form, and signature for the token generated by therespective private key of the public key 179. The combination of theunencrypted token and the signature indicates that the authenticationclient 153 had access to the respective private key of the public key179. Accordingly, the hosted application 119 could determine that theoperator of the client device 106 is the authorized user identified bythe user identifier 133 because the operator of the client device 106can prove control of the private key for the respective public key 179associated with the identity key 159 for which the claim 183 was madethat the owner of the identity key 159 is also the user identified bythe user identifier 133 who also uses a client device 106 with theunrecognized device fingerprint 139. If the response is valid, then theprocess proceeds to step 526. If the response is invalid, then theresponse proceeds instead to step 533.

Then at step 526, the hosted application 119 can store the unrecognizeddevice fingerprint 139 in the user account 126. This can create a recordof a relationship between the device fingerprint 139, the useridentifier 1333, and the authentication credentials 136. As a result,the device fingerprint 139 can be used in the future to authenticate theuser.

Next at step 529, the hosted application 119 can grant access to theclient application 146 to access the resources provided by the hostedapplication 119. The process then ends.

However, if the process had instead proceeded to step 533, the hostedapplication 119 could deny access to the client application 146. In theevent that access is denied, the previously described process ends.However, the client application 146 could always attempt to reconnectand reauthenticate with the hosted application 119 using theauthentication client 153.

Referring next to FIG. 6 , shown is a flowchart that provides oneexample of the operation of a portion of the hosted application 119. Itis understood that the flowchart of FIG. 6 provides merely an example ofthe many different types of functional arrangements that can be employedto implement the operation of the depicted portion of the hostedapplication 119. As an alternative, the flowchart of FIG. 6 can beviewed as depicting an example of elements of a method implemented inthe network environment 100.

Beginning with step 603, the hosted application 119 can receive from theauthentication client 153 an identity key 159 to be associated with thedevice fingerprint 139 and the device fingerprint 139 itself. Theidentity key 159 and device fingerprint 139 could be provided by theauthentication client 153 as part of a request for a verified claim 173that asserts that the owner or controlling entity of the identity key159 can be identified or is otherwise associated with the devicefingerprint 139.

Then at step 606, the hosted application 119 can request the useridentifier 133 and authentication credentials 136 for a user account 126that is already associated with the device fingerprint 139. For example,the user account 126 may have already been verified as being associatedwith the device fingerprint 139 based at least in part on a verifiedclaim 173 or registered verified claim 196 issued by a third-party. Theuser identifier 133 and authentication credentials 136 can be requestedin order to verify that the client device 106 making the request for theverified claim 173 is controlled by an authorized user as represented bythe user account 126.

Next at step 609, the hosted application 119 can then receive the useridentifier 133 and authentication credentials 136 in response to therequest made at step 606.

Moving on to step 613, the hosted application 119 can verify theauthentication credentials 136. For example, the hosted application 119could query the user account 126 to see if the received authenticationcredentials 136 match the authentication credentials 136 stored in theuser account 126 identified by the user identifier 133 and the devicefingerprint 139. If the received authentication credentials 136 matchthose on file, then the authentication credentials 136 could bedetermined to be valid and the request for the verified claim 173 couldbe considered to be a request made by an authorized user.

Proceeding next to step 616, the hosted application 119 can generate theverified claim 173. For example, the hosted application 119 could createa claim 183 that asserts that the device fingerprint 139 is associatedwith or otherwise identifies the user that owns or controls the identitykey 159 received at step 603. The hosted application 119 could thencreate a signature 186 based at least in part on the claim 183. Thesignature, 186, the claim 183, and the identity key 159 can then bestored in the verified claim 173.

Then at step 619, the hosted application 119 can provide the verifiedclaim 173 to the authentication client 153 in response. In someimplementations, however, the hosted application 119 can also store theverified claim 173 in the distributed ledger 113 specified by theidentity key 159 to create a registered verified claim 196. Making theverified claim 173 publicly available as a registered verified claim 196may be done, for example, to allow other parties to retrieve theregistered verified claim 196 to authenticate the user in the future.

A number of software components previously discussed are stored in thememory of the respective computing devices and are executable by theprocessor respective computing devices. In this respect, the term“executable” means a program file that is in a form that can ultimatelybe run by the processor. Examples of executable programs can be acompiled program that can be translated into machine code in a formatthat can be loaded into a random access portion of the memory and run bythe processor, source code that can be expressed in proper format suchas object code that is capable of being loaded into a random accessportion of the memory and executed by the processor, or source code thatcan be interpreted by another executable program to generateinstructions in a random access portion of the memory to be executed bythe processor. An executable program can be stored in any portion orcomponent of the memory, including random access memory (RAM), read-onlymemory (ROM), hard drive, solid-state drive, Universal Serial Bus (USB)flash drive, memory card, optical disc such as compact disc (CD) ordigital versatile disc (DVD), floppy disk, magnetic tape, or othermemory components.

The memory includes both volatile and nonvolatile memory and datastorage components. Volatile components are those that do not retaindata values upon loss of power. Nonvolatile components are those thatretain data upon a loss of power. Thus, the memory can include randomaccess memory (RAM), read-only memory (ROM), hard disk drives,solid-state drives, USB flash drives, memory cards accessed via a memorycard reader, floppy disks accessed via an associated floppy disk drive,optical discs accessed via an optical disc drive, magnetic tapesaccessed via an appropriate tape drive, or other memory components, or acombination of any two or more of these memory components. In addition,the RAM can include static random access memory (SRAM), dynamic randomaccess memory (DRAM), or magnetic random access memory (MRAM) and othersuch devices. The ROM can include a programmable read-only memory(PROM), an erasable programmable read-only memory (EPROM), anelectrically erasable programmable read-only memory (EEPROM), or otherlike memory device.

Although the applications and systems described herein can be embodiedin software or code executed by general purpose hardware as discussedabove, as an alternative the same can also be embodied in dedicatedhardware or a combination of software/general purpose hardware anddedicated hardware. If embodied in dedicated hardware, each can beimplemented as a circuit or state machine that employs any one of or acombination of a number of technologies. These technologies can include,but are not limited to, discrete logic circuits having logic gates forimplementing various logic functions upon an application of one or moredata signals, application specific integrated circuits (ASICs) havingappropriate logic gates, field-programmable gate arrays (FPGAs), orother components, etc. Such technologies are generally well known bythose skilled in the art and, consequently, are not described in detailherein.

The flowcharts show the functionality and operation of an implementationof portions of the various embodiments of the present disclosure. Ifembodied in software, each block can represent a module, segment, orportion of code that includes program instructions to implement thespecified logical function(s). The program instructions can be embodiedin the form of source code that includes human-readable statementswritten in a programming language or machine code that includesnumerical instructions recognizable by a suitable execution system suchas a processor in a computer system. The machine code can be convertedfrom the source code through various processes. For example, the machinecode can be generated from the source code with a compiler prior toexecution of the corresponding application. As another example, themachine code can be generated from the source code concurrently withexecution with an interpreter. Other approaches can also be used. Ifembodied in hardware, each block can represent a circuit or a number ofinterconnected circuits to implement the specified logical function orfunctions.

Although the flowcharts show a specific order of execution, it isunderstood that the order of execution can differ from that which isdepicted. For example, the order of execution of two or more blocks canbe scrambled relative to the order shown. Also, two or more blocks shownin succession can be executed concurrently or with partial concurrence.Further, in some embodiments, one or more of the blocks shown in theflowcharts can be skipped or omitted. In addition, any number ofcounters, state variables, warning semaphores, or messages might beadded to the logical flow described herein, for purposes of enhancedutility, accounting, performance measurement, or providingtroubleshooting aids, etc. It is understood that all such variations arewithin the scope of the present disclosure.

Also, any logic or application described herein that includes softwareor code can be embodied in any non-transitory computer-readable mediumfor use by or in connection with an instruction execution system such asa processor in a computer system or other system. In this sense, thelogic can include statements including instructions and declarationsthat can be fetched from the computer-readable medium and executed bythe instruction execution system. In the context of the presentdisclosure, a “computer-readable medium” can be any medium that cancontain, store, or maintain the logic or application described hereinfor use by or in connection with the instruction execution system.

The computer-readable medium can include any one of many physical mediasuch as magnetic, optical, or semiconductor media. More specificexamples of a suitable computer-readable medium would include, but arenot limited to, magnetic tapes, magnetic floppy diskettes, magnetic harddrives, memory cards, solid-state drives, USB flash drives, or opticaldiscs. Also, the computer-readable medium can be a random access memory(RAM) including static random access memory (SRAM) and dynamic randomaccess memory (DRAM), or magnetic random access memory (MRAM). Inaddition, the computer-readable medium can be a read-only memory (ROM),a programmable read-only memory (PROM), an erasable programmableread-only memory (EPROM), an electrically erasable programmableread-only memory (EEPROM), or other type of memory device.

Further, any logic or application described herein can be implementedand structured in a variety of ways. For example, one or moreapplications described can be implemented as modules or components of asingle application. Further, one or more applications described hereincan be executed in shared or separate computing devices or a combinationthereof. For example, a plurality of the applications described hereincan execute in the same computing device, or in multiple computingdevices in the same computing environment 103 or network environment100.

Disjunctive language such as the phrase “at least one of X, Y, or Z,”unless specifically stated otherwise, is otherwise understood with thecontext as used in general to present that an item, term, etc., can beeither X, Y, or Z, or any combination thereof (e.g., X, Y, or Z). Thus,such disjunctive language is not generally intended to, and should not,imply that certain embodiments require at least one of X, at least oneof Y, or at least one of Z to each be present.

It should be emphasized that the above-described embodiments of thepresent disclosure are merely possible examples of implementations setforth for a clear understanding of the principles of the disclosure.Many variations and modifications can be made to the above-describedembodiments without departing substantially from the spirit andprinciples of the disclosure. All such modifications and variations areintended to be included herein within the scope of this disclosure andprotected by the following claims.

Therefore, the following is claimed:
 1. A method, comprising: receivingan authentication request from an application, the request comprising adevice fingerprint; determining an identity key associated with thedevice fingerprint, the identity key indicating the location of anidentity document associated with a signed claim identifying a user; andproviding the identity key to the application.
 2. The method of claim 1,further comprising: presenting a prompt within a user interface, theprompt being configured to solicit the user for authenticationcredentials to an identity hub; in response to receiving theauthentication credentials through the prompt, sending a request to theidentity hub for the identity key, the request comprising theauthentication credentials for the identity hub; and receiving theidentity key in response to sending the request to the identity hub. 3.The method of claim 1, wherein the device fingerprint comprises abrowser fingerprint for a browser.
 4. The method of claim 1, wherein theidentity key is a first identity key, the signed claim is a first signedclaim, and the method further comprises: generating a second identitykey and an asymmetric cryptographic key-pair associated with theidentity key and the identity document; and sending a request for asecond signed claim to the application, the request comprising anauthentication credential for the application and the devicefingerprint.
 5. The method of claim 4, further comprising registeringthe second identity key and the identity document with a distributedledger.
 6. The method of 4, further comprising: receiving the secondsigned claim; and storing the second identity key, the asymmetriccryptographic key-pair, and the second signed claim in an identity hub.7. The method of claim 1, wherein the device fingerprint comprises ahardware identifier of a computing device.
 8. A system, comprising: afirst computing device comprising a processor and a memory; andmachine-readable instructions stored in the memory that, when executedby the processor, cause the computing device to at least: receive, froman application executing on a second computing device, a fingerprint forthe second computing device; search a distributed ledger for an identitykey associated with the fingerprint for the second computing device, theidentity key being linked to a signed claim stored in the distributedledger; retrieve the signed claim from the distributed ledger; evaluatethe signed claim to determine that the fingerprint identifies anauthorized user account; and grant the application executing on thesecond computing device access to a computing resource in response toevaluating the signed claim.
 9. The system of claim 8, wherein themachine-readable instructions that cause the first computing device toobtain the identity key, when executed by the processor, further causethe first computing device to at least: request the identity key fromthe application executing on the second computing device; and receivethe identity key from the application executing on the second computingdevice.
 10. The system of claim 8, wherein the signed claim is a firstsigned claim, the identity key is a first identity key, and themachine-readable instructions, when executed by the processor, furthercause the first computing device to at least: receive a first requestfor a second signed claim from the application executing on the secondcomputing device; send a second request to the application executing onthe second computing device for a user identifier and an authenticationcredential; receive the user identifier and the authenticationcredential from the application executing on the second computingdevice; and verify the authentication credential.
 11. The system ofclaim 10, wherein the machine-readable instructions, when executed bythe processor, further cause the first computing device to at least:create a claim that asserts that the fingerprint identifies a clientdevice controlled by the authorized user account; sign the claim tocreate a second signed claim; and provide the second signed claim to theapplication executing on the second computing device.
 12. The system ofclaim 8, wherein the machine-readable instructions that cause the firstcomputing device to evaluate the signed claim, when executed by theprocessor, further cause the first computing device to at least:determine an identity of a signing entity of the signed claim; andevaluate an authentication rule to determine that the identity of thesigning entity is a trusted entity.
 13. The system of claim 8, whereinthe fingerprint is a hardware-based identifier associated with thecomputing device.
 14. The system of claim 8, wherein the application isa browser and the fingerprint is a browser fingerprint.
 15. A method,comprising: receiving, with a first computing device, an identity keyand a device fingerprint from an application executing on a secondcomputing device in network communication with the first computingdevice; sending, with the first computing device, a request for a useridentifier and an authentication credential to the application;receiving, with the first computing device, the user identifier and theauthentication credential from the application; verifying, with thefirst computing device, the authentication credential; generating, withthe first computing device, a claim that asserts that the identity keyis associated with the device fingerprint; and providing, with the firstcomputing device, the claim to the second computing device.
 16. Themethod of claim 15, further comprising registering, with the firstcomputing device, the claim with a distributed ledger to create aregistered verified claim.
 17. The method of claim 15, furthercomprising: generating, with the first computing device, a signature ofthe claim; and storing, with the first computing device, the claim, thesignature, and the identity key in the verified claim.
 18. The method ofclaim 15, wherein receiving the identity key and the device fingerprintoccurs in response to a previous determination that the identity key isassociated with the device fingerprint.
 19. The method of claim 15,wherein the device fingerprint is a hardware identifier associated withthe second computing device.
 20. The method of claim 15, wherein theapplication is a browser and the device fingerprint is a browserfingerprint for the second computing device.